A recent joint security advisory from the UK's National Cyber Security Centre and its partners in the Five Eyes alliance finds that cyber criminals are increasingly exploiting older vulnerabilities rather than newly disclosed flaws.
The report, which lists the top 12 commonly exploited vulnerabilities in 2022, sheds light on the strategies employed by cyber criminals. It also underscores the apparent neglect of organizations when it comes to patching security flaws that affect their software and equipment.
Lisa Fong, Deputy Director-General at New Zealand's National Cyber Security Centre, emphasizes the significance of prioritizing the basics of cyber security. She states that malicious actors continue to succeed using the same techniques repeatedly. Understanding their assets, rapidly applying patches, and acting on CVE reporting are crucial actions that can determine whether an organization is a target or a proactive defender.
Typically, attackers find the most success during the first two years following the public disclosure of a vulnerability. Over time, as organizations patch or upgrade their software, the value of these vulnerabilities diminishes.
The security agencies recommend promptly applying patches in order to thwart attackers, as they would then be compelled to explore other, potentially more resource-intensive avenues of attack. This might involve the development of zero-day exploits or the execution of software supply chain attacks.
Failure to promptly patch vulnerabilities allows attackers to scan for exposed systems and learn which of them can be exploited. If numerous organizations fail to patch security issues, it incentivizes attackers to develop and sell exploitation tools that enable quicker attacks. These tools remain usable for years, as long as the vulnerability stays unpatched.
The most frequently exploited vulnerabilities in 2022 include:
- CVE-2018-13379: Affecting Fortinet SSL VPNs, this vulnerability has been exploited as early as 2020. Its persistence on the list suggests that many organizations have neglected to apply available patches.
- CVE-2021-34473, CVE-2021-31207, and CVE-2021-34523 (ProxyShell): Impacting Microsoft Exchange email servers.
- CVE-2021-40539: A remote code execution flaw in Zoho ManageEngine ADSelfService Plus, which saw exploitation in late 2021 and into 2022.
- CVE-2021-26084: A vulnerability in Atlassian’s Confluence Server and Data Center collaboration tools, which experienced a mass exploitation attempt in late 2021.
- CVE-2021-44228 (Log4Shell): Affecting Apache’s Log4j library, this vulnerability garnered high interest from attackers in the first half of 2022.
- CVE-2022-22954 and CVE-2022-22960: Vulnerabilities in VMware’s products that allowed for remote code execution, privilege escalation, and authentication bypass.
- CVE-2022-30190: A vulnerability impacting the Microsoft Support Diagnostic Tool.
- CVE-2022-26134: A critical remote code execution vulnerability in Atlassian Confluence and Data Center.
- CVE-2022-1388: A vulnerability allowing attackers to bypass iControl REST authentication on F5 BIG-IP application delivery and security software.
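The advisory's guidance amounts to a triage rule: know your assets, check them against the list of known-exploited CVEs, and patch exposed systems first, remembering that entries such as CVE-2018-13379 stay on the list for years. The script below is an added example, not part of the article or the advisory, that applies that rule. It takes the twelve CVEs and product names from the list above, joins them against a constructed asset inventory, and orders unpatched findings by exposure, by whether the flaw is still inside the two-year window in which the advisory says attackers succeed most, and then by age. The hostnames, the `applied_fixes` records and the reference date are constructed sample data, and the disclosure year is approximated from the year field of the CVE identifier.

```python
"""Patch-priority triage against the 2022 most-exploited list.

Added example, not code from the advisory or the article.  CVE IDs and
product families are taken from the published list; the inventory, the
applied-fix records and the reference date are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
import re

# CVE -> product family, exactly as named in the article's list.
TOP_EXPLOITED_2022 = {
    "CVE-2018-13379": "Fortinet SSL VPN",
    "CVE-2021-34473": "Microsoft Exchange",
    "CVE-2021-31207": "Microsoft Exchange",
    "CVE-2021-34523": "Microsoft Exchange",
    "CVE-2021-40539": "Zoho ManageEngine ADSelfService Plus",
    "CVE-2021-26084": "Atlassian Confluence",
    "CVE-2021-44228": "Apache Log4j",
    "CVE-2022-22954": "VMware",
    "CVE-2022-22960": "VMware",
    "CVE-2022-30190": "Microsoft Support Diagnostic Tool",
    "CVE-2022-26134": "Atlassian Confluence",
    "CVE-2022-1388": "F5 BIG-IP",
}

# The advisory's observation: most exploitation success falls in the
# first two years after public disclosure.
EXPLOITATION_WINDOW_YEARS = 2

CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")


def disclosure_year(cve_id: str) -> int:
    """Approximate the disclosure year from the CVE identifier's year field."""
    m = CVE_RE.match(cve_id)
    if not m:
        raise ValueError(f"not a CVE identifier: {cve_id}")
    return int(m.group(1))


@dataclass
class Asset:
    hostname: str          # constructed sample value
    product: str           # free-text product name from the inventory
    internet_facing: bool  # what an external scanner can reach
    applied_fixes: frozenset = frozenset()  # CVE IDs covered by recorded vendor fixes


@dataclass
class Finding:
    hostname: str
    cve_id: str
    product: str
    age_years: int
    in_window: bool
    internet_facing: bool

    @property
    def priority(self):
        # Lower tuple sorts first: every CVE here is known-exploited, so order by
        # exposure, then by the two-year window, then by age (oldest first,
        # because long-unpatched entries are exactly what the list highlights).
        return (not self.internet_facing, not self.in_window, -self.age_years, self.cve_id)


def triage(assets, catalogue=TOP_EXPLOITED_2022, today=None):
    """Return unpatched (asset, CVE) pairs from the catalogue, highest priority first."""
    today = today or date.today()
    findings = []
    for asset in assets:
        for cve_id, product in catalogue.items():
            if product.lower() not in asset.product.lower():
                continue  # product family not present on this asset
            if cve_id in asset.applied_fixes:
                continue  # vendor fix already recorded for this CVE
            age = today.year - disclosure_year(cve_id)
            findings.append(Finding(asset.hostname, cve_id, product, age,
                                    age < EXPLOITATION_WINDOW_YEARS,
                                    asset.internet_facing))
    return sorted(findings, key=lambda f: f.priority)


def report(findings):
    """Render findings as one line each for a ticket or a daily patch report."""
    return [f"{f.hostname:15} {f.cve_id:15} {f.product:38} "
            f"age={f.age_years}y window={'yes' if f.in_window else 'no'} "
            f"exposed={'yes' if f.internet_facing else 'no'}" for f in findings]


# Constructed sample inventory; none of these hosts or patch records are real.
SAMPLE_INVENTORY = [
    Asset("vpn-edge-01", "Fortinet SSL VPN", True),
    Asset("mail-01", "Microsoft Exchange", True,
          frozenset({"CVE-2021-34473", "CVE-2021-31207"})),
    Asset("wiki-internal", "Atlassian Confluence Server", False,
          frozenset({"CVE-2021-26084"})),
    Asset("build-agent-07", "Apache Log4j (bundled in CI runner)", False,
          frozenset({"CVE-2021-44228"})),
]

if __name__ == "__main__":
    for line in report(triage(SAMPLE_INVENTORY, today=date(2023, 8, 3))):
        print(line)
```

Run against the constructed inventory with a reference date of 3 August 2023, the script lists the unpatched Fortinet VPN first (exposed, five years old), the remaining ProxyShell CVE on the mail server second, and the internal Confluence host last; the build agent with the Log4j fix recorded produces no finding. Matching by product family name is deliberately coarse: a real inventory would carry affected-version data from the vendor advisory, and a recorded fix should be verified on the host rather than trusted from a spreadsheet.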
Eric Goldstein, Executive Assistant Director for Cyber Security at CISA, highlights the need for technology providers to address categories of vulnerabilities. He states that until then, malicious actors will continue to exploit organizations worldwide. It is crucial for every enterprise to prioritize the mitigation of these vulnerabilities and for technology providers to take responsibility for their customers’ security outcomes by reducing the prevalence of such vulnerabilities through secure design.